-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(core): handle Request
-> Response
regressions
#5991
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
🎉 Experimental release published 📦️ on npm! pnpm add next-auth@0.0.0-pr.5991.5c72424c yarn add next-auth@0.0.0-pr.5991.5c72424c npm i next-auth@0.0.0-pr.5991.5c72424c |
I'm still having some issues with I get an error page with the error To debug further, I modified the console.log('request url =>', urlOrError);
console.log('response body =>', response.body.toString()); The result of these console logs are:
It looks like the url path is a bit wonky. The path should be Edit: Looks like duplication in the path isn't necessarily the cause. I temporarily changed the path in the Edit 2: But it does look like the base path is likely the main trigger here. I jumped in the |
Looks like one option is to update these lines in the getURL method with the following to strip any path from the if (host.startsWith("http://") || host.startsWith("https://")) {
return new URL(`${host.replace(/(https?:\/\/[^/]+)\/?.*/, '$1')}${url}`)
}
return new URL(`https://${host.replace(/([^/]+)\/?.*/, '$1')}${url}`) |
Hmm...though another issue that crops up from stripping the path from the host is that anywhere that we call that
|
Perhaps we should do something like this in there? So basically first we take just the part of the path starting with the last const nextauth = url.pathname.substring(url.pathname.lastIndexOf("/api/auth")).split("/").slice(3); |
The custom basepath handling is on my todo list, it's not checked off in the description as you can see in #5991 (comment) 👍 Based on your URL Thanks! |
I'll merge this PR for now to fix the two other issues, I did not manage to fix this today, postponing the custom base path fix tomorrow, will follow up in a separate PR. |
Sounds good! Thank you! |
Thanks guys, literally spent the complete past day just trying to debug CredentialsProvider (jwt ofc) not creating session cookie in prod and had absolutely no clue why, and woke up to this fix. At least I know the full NextAuth doc by heart now. |
* fix(core): properly construct url (nextauthjs#5984) * chore(release): bump package version(s) [skip ci] * fix(core): add protocol if missing * fix(core): throw error if no action can be determined * test(core): fix test * chore(release): bump package version(s) [skip ci] * chore(docs): add new tutorial (nextauthjs#5604) Co-authored-by: Nico Domino <yo@ndo.dev> * fix(core): handle `Request` -> `Response` regressions (nextauthjs#5991) * fix(next): don't override `Content-Type` by `unstable_getServerSession` * fix(core): handle `,` while setting `set-cookie` * chore(release): bump package version(s) [skip ci] * fix(sequelize): increase sequelize `id_token` column length (nextauthjs#5929) Co-authored-by: Nico Domino <yo@ndo.dev> * fix(core): correct status code when returning redirects (nextauthjs#6004) * fix(core): correctly set status when returning redirect * update tests * forward other headers * update test * remove default 200 status * fix(core): host detection/NEXTAUTH_URL (nextauthjs#6007) * rename `host` to `origin` internally * rename `userOptions` to `authOptions` internally * use object for `headers` internally * default `method` to GET * simplify `unstable_getServerSession` * allow optional headers * revert middleware * wip getURL * revert host detection * use old `detectHost` * fix/add some tests wip * move more to core, refactor getURL * better type auth actions * fix custom path support (w/ api/auth) * add `getURL` tests * fix email tests * fix assert tests * custom base without api/auth, with trailing slash * remove parseUrl from assert.ts * return 400 when wrong url * fix tests * refactor * fix protocol in dev * fix tests * fix custom url handling * add todo comments * chore(release): bump package version(s) [skip ci] * update lock file * fix(next): correctly bundle next-auth/middleware fixes nextauthjs#6025 * fix(core): preserve incoming set cookies (nextauthjs#6029) * fix(core): preserve `set-cookie` by the user * add test * improve req/res mocking * refactor * fix comment typo * chore(release): bump package version(s) [skip ci] * make logos optional * sync with `next-auth` * clean up `next-auth/edge` * sync Co-authored-by: Balázs Orbán <balazsorban44@users.noreply.github.com> Co-authored-by: Thomas Desmond <24610108+thomas-desmond@users.noreply.github.com> Co-authored-by: Nico Domino <yo@ndo.dev> Co-authored-by: Cyril Perraud <perraud.cyril@gmail.com>
* WIP use `Request` and `Response` for core * bump Next.js * rename ts types * refactor * simplify * upgrade Next.js * implement body reader * use `Request`/`Response` in `next-auth/next` * make linter happy * revert * fix tests * remove workaround for middleware return type * return session in protected api route example * don't export internal handler * fall back host to localhost * refactor `getBody` * refactor `next-auth/next` * chore: add `@edge-runtime/jest-environment` * fix tests, using Node 18 as runtime * fix test * remove patch * upgrade/add dependencies * type and default import on one line * don't import all adapters by default in dev * simplify internal endpoint config Instead of passing url and params around as a string and an object, we parse them into a `URL` instance. * assert if both endpoint and issuer config is missing * allow internal redirect to be `URL` * mark clientId as always internally, fix comments * add web-compatible authorization URL handling * fix type * fix neo4j build * remove new-line * reduce file changes in the PR * simplify types * refactor `crypto` usage In Node.js, inject `globalThis.crypto` instead of import * add `next-auth/web` * refactor * send header instead of body to indicate redirect response * fix eslint * fix tests * chore: upgrade dep * fix import * refactor: more renames * wip core * support OIDC * remove `openid-client` * temprarily remove duplicate logos * revert * move redirect logic to core * feat: add sveltekit auth * wip fix css * revert Logo component * output ESM * fix logout * deprecate OAuth 1, simplify internals, improve defaults * refactor providers, test facebook * fix providers * target es2020 * fix CSS * fix AuthHandler, add getServerSession * update lock file * make logos optional * sync with `next-auth` * clean up `next-auth/edge` * sync * Sync (#2) * fix(core): properly construct url (#5984) * chore(release): bump package version(s) [skip ci] * fix(core): add protocol if missing * fix(core): throw error if no action can be determined * test(core): fix test * chore(release): bump package version(s) [skip ci] * chore(docs): add new tutorial (#5604) Co-authored-by: Nico Domino <yo@ndo.dev> * fix(core): handle `Request` -> `Response` regressions (#5991) * fix(next): don't override `Content-Type` by `unstable_getServerSession` * fix(core): handle `,` while setting `set-cookie` * chore(release): bump package version(s) [skip ci] * fix(sequelize): increase sequelize `id_token` column length (#5929) Co-authored-by: Nico Domino <yo@ndo.dev> * fix(core): correct status code when returning redirects (#6004) * fix(core): correctly set status when returning redirect * update tests * forward other headers * update test * remove default 200 status * fix(core): host detection/NEXTAUTH_URL (#6007) * rename `host` to `origin` internally * rename `userOptions` to `authOptions` internally * use object for `headers` internally * default `method` to GET * simplify `unstable_getServerSession` * allow optional headers * revert middleware * wip getURL * revert host detection * use old `detectHost` * fix/add some tests wip * move more to core, refactor getURL * better type auth actions * fix custom path support (w/ api/auth) * add `getURL` tests * fix email tests * fix assert tests * custom base without api/auth, with trailing slash * remove parseUrl from assert.ts * return 400 when wrong url * fix tests * refactor * fix protocol in dev * fix tests * fix custom url handling * add todo comments * chore(release): bump package version(s) [skip ci] * update lock file * fix(next): correctly bundle next-auth/middleware fixes #6025 * fix(core): preserve incoming set cookies (#6029) * fix(core): preserve `set-cookie` by the user * add test * improve req/res mocking * refactor * fix comment typo * chore(release): bump package version(s) [skip ci] * make logos optional * sync with `next-auth` * clean up `next-auth/edge` * sync Co-authored-by: Balázs Orbán <balazsorban44@users.noreply.github.com> Co-authored-by: Thomas Desmond <24610108+thomas-desmond@users.noreply.github.com> Co-authored-by: Nico Domino <yo@ndo.dev> Co-authored-by: Cyril Perraud <perraud.cyril@gmail.com> * merge * clean up sveltekit auth handler * upgrade playground to latest * upgrade sveltekit auth to latest * Some more refactoring * feat: extract type to core and reuse in sveltekit * remove uuid * make secret required in dev * remove todo comments * pass through OAuth client options * generate declaration map * default env secret to AUTH_SECRET * temporary Headers fix * move pages to lib * move errors to lib * move pages/index to lib * move routes to lib * move init to lib * move styles to lib * move types to lib * move utils to lib * fix imports * update ignore/clean patterns * fix imports * update styles ts * update gitignore * update exports field * revert `next-auth` * remove extra tsconfig files * remove `private` from package.json * revert * feat sveltekit * commit * remove unused file, expose type * remove nextauth_url, memoize locals.getSession * move to dependency * fix * format * fix post build * simplify * fix lock file * add packages/frameworks * update package.json * update gitignore * Delete .gitignore * Update types.ts * Update tsconfig.dev.json * skip test * format * skip format/lint Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: Balázs Orbán <balazsorban44@users.noreply.github.com> Co-authored-by: Thomas Desmond <24610108+thomas-desmond@users.noreply.github.com> Co-authored-by: Nico Domino <yo@ndo.dev> Co-authored-by: Cyril Perraud <perraud.cyril@gmail.com>
#4769 was a major internal refactoring that caused some bugs to surface:
Set-Cookie
headers have been incorrectly split, which is now handled correctly (see: Use case for Headers getAll whatwg/fetch#973). Fixes Set-Cookie header is split in half by comma in Expires section #5989unstable_getServerSession
overrode theContent-Type
header, which broke the rendering of SSR pages (usinggetServerSideProps
). Fixes 4.18.1 causes app to render in a <pre> tag when usingunstable_getServerSession
#5986- [ ] Parsing the host header has introduced some unexpected behavior in production. host detection/Needs more work, will follow up in a separate PRNEXTAUTH_URL
breaks in some cases #5953